
Europäisches Patentamt
European Patent Office
Office européen des brevets




(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 29.11.2000 Bulletin 2000/48

(11) EP 1 055 990 A1

(51) Int Cl.7: G06F 1/00

(21) Application number: 99304163.6

(22) Date of filing: 28.05.1999



(84) Designated Contracting States:
AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

Designated Extension States:
AL LT LV MK RO SI

(71) Applicant: Hewlett-Packard Company
Palo Alto, California 94304-1112 (US)

(72) Inventors:

• Proudler, Graeme
Bristol BS34 85CO (GB)

• Balacheff, Boris

BS31 2HJ (GB)

Bristol BS9 3PZ (GB)

• Chan, David
California CA 95030 (US)

(74) Representative: Lawman, Matthew John Mitchell
Hewlett-Packard Limited,
IP Section,
Building 3,
Filton Road
Stoke Gifford, Bristol BS34 8QZ (GB)



(54) Event logging in a computing platform 

(57) There is disclosed a computer entity having a trusted component which compiles an event log for events occurring on a computer platform. The event log contains event data of types which are pre-specified by a user by inputting details through a dialogue display generated by the trusted component. Items which can be monitored include data files, applications, drivers and the like. The trusted component operates through a monitoring agent which may be launched onto the computer platform. The monitoring agent may be periodically interrogated to make sure that it is operating correctly and responding to interrogations by the trusted component.




[Fig. 12: flow chart, steps 1200 to 1205. Box text as far as legible: Agent obtains event data from user specified logical entity, eg. file, driver or application. Agent reports event data to trusted component. Trusted component creates event log file and stores received event data in trusted memory. Decision on a predetermined user specified period. Trusted component applies cryptographic functions to event log data to provide secure event log file. Trusted component writes secure event log file to memory in either trusted space or user ...]



Printed by Jouve, 75001 PARIS (FR)






EP 1 055 990 A1 






form and the status of the data within the platform or system is dynamic and difficult to predict. It is difficult to determine whether a computer platform is operating correctly because the state of the computer platform and data on the platform is constantly changing and the computer platform itself may be dynamically changing.

• From a security point of view, commercial computer platforms, in particular client platforms, are often deployed in environments which are vulnerable to unauthorised modification. The main areas of vulnerability include modification by software loaded by a user, or by software loaded via a network connection. Particularly, but not exclusively, conventional computer platforms may be vulnerable to attack by virus programs, with varying degrees of hostility.

• Computer platforms may be upgraded or their capabilities extended or restricted by physical modification, i.e. addition or deletion of components such as hard disk drives, peripheral drivers and the like.

[0008] It is known to provide certain security features 
in computer systems, embedded in operating software. 
These security features are primarily aimed at providing 
division of information within a community of users of 
the system. 

[0009] In the known Microsoft Windows NT™ 4.0 operating system, there also exists a monitoring facility called "system log event viewer" in which a log of events occurring within the platform is recorded into an event log data file which can be inspected by a system administrator using the Windows NT operating system software. This facility goes some way to enabling a system administrator to security monitor preselected events. The event logging function in the Windows NT™ 4.0 operating system is an example of system monitoring.

[0010] However, in terms of overall security of a computer platform, a purely software based system is vulnerable to attack, for example by viruses. The Microsoft Windows NT™ 4.0 software includes a virus guard software, which is preset to look for known viruses. However, virus strains are developing continuously, and the virus guard software will not guard against unknown viruses.

[0011] Further, prior art monitoring systems for computer entities focus on network monitoring functions, where an administrator uses network management software to monitor performance of a plurality of network computers. Also, trust in the system does not reside at the level of individual trust of each hardware unit of computer platform in a system.

Summary of the Invention 

[0012] Specific implementations of the present invention provide a computer platform having a trusted component which is physically and logically distinct from a computer platform. The trusted component has the properties of unforgeability, and autonomy from the computer platform with which it is associated. The trusted component monitors the computer platform and thereby may provide a computer platform which is monitored on an individual basis at a level beneath a network monitoring or system monitoring level. Where a plurality of computer platforms are networked or included in the system, each computer platform may be provided with a separate corresponding respective trusted component.

[0013] Specific implementations of the present invention may provide a secure method of monitoring events occurring on a computer platform, in a manner which is incorruptible by alien agents present on the computer platform, or by users of the computer platform, in a manner such that if any corruption of the event log takes place, this is immediately apparent.

[0014] According to a first aspect of the present invention there is provided a computer entity comprising a computer platform comprising a data processor and at least one memory device; and a trusted component, said trusted component comprising a data processor and at least one memory device; wherein said data processor and said memory of said trusted component are physically and logically distinct from said data processor and memory of said computer platform; and means for monitoring a plurality of events occurring on said computer platform.

[0015] Preferably said monitoring means comprises a software agent operating on said computer platform, for monitoring at least one event occurring on said computer platform, and reporting said event to said trusted component.

[0016] Said software agent may comprise a set of pro- 
gram code normally resident in said memory device of 
said trusted component, said code being transferred in- 
to said computer platform for performing monitoring 
functions on said computer platform. 
[0017] Preferably said trusted component comprises 
an event logging component for receiving data describ- 
ing a plurality of events occurring on said computer plat- 
form, and compiling said event data into a secure event 
data. 

[0018] Preferably said event logging component com- 
prises means for applying a chaining function to said 
event data to produce said secure event data. 
[0019] Selections of events and entities to be moni- 
tored may be selected by a user by operating a display 
interface for generating an interactive display compris- 
ing: means for selecting an entity of said computer plat- 
form to be monitored; and means for selecting at least 
one event to be monitored. 

[0020] The monitoring means may further comprise 
prediction means for predicting a future value of at least 
one selected parameter. 

Fig. 2 illustrates schematically connectivity of selected components of the computer entity of Fig. 1;

Fig. 3 illustrates schematically a hardware architecture of components of the computer entity of Fig. 1;

Fig. 4 illustrates schematically an architecture of a trusted component comprising the computer entity of Fig. 1;

Fig. 5 illustrates schematically a logical architecture of the computer entity, divided into a monitored user space, resident on the computer platform and a trusted space resident on the trusted component;

Fig. 6 illustrates schematically components of a monitoring agent which monitors events occurring on the computer platform and reports back to the trusted component;

Fig. 7 illustrates schematically logical components of the trusted component itself;

Fig. 8 illustrates schematically process steps carried out for establishing a secure communication between the user and the trusted component by way of a display on a monitor device;

Fig. 9 illustrates schematically process steps for selecting security monitoring functions using a display monitor;

Fig. 10 illustrates schematically a first dialogue box display generated by the trusted component;

Fig. 11 illustrates schematically a second dialogue box display used for entering data by a user;

Fig. 12 illustrates schematically operations carried out by the monitoring agent and the trusted component for monitoring logical and/or physical entities such as files, applications or drivers on the computer platform;

Fig. 13 illustrates schematically process steps operated by the agent and trusted component for continuous monitoring of specified events on the computer platform; and

Fig. 14 illustrates schematically process steps carried out by and interaction between the monitoring agent and the trusted component for implementing the agent on the computer platform, and monitoring the existence and integrity of the agent on the computer platform.



Detailed Description of the Best Mode for Carrying Out the Invention

[0035] There will now be described by way of example the best mode contemplated by the inventors for carrying out the invention. In the following description numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent however, to one skilled in the art, that the present invention may be practiced without limitation to these specific details. In other instances, well known methods and structures have not been described in detail so as not to unnecessarily obscure the present invention.

[0036] In this specification, the term "trusted" when used in relation to a physical or logical component, is used to mean a physical or logical component with which the behavior of that component is predictable and known. Trusted components have a high degree of resistance to unauthorised modification.

[0037] In this specification, the term "computer platform" is used to refer to at least one data processor and at least one data storage means, usually but not essentially with associated communications facilities eg a plurality of drivers, associated applications and data files, and which may be capable of interacting with external entities eg. a user or another computer entity, for example by means of connection to the internet, connection to an external network, or by having an input port capable of receiving data stored on a data storage medium, eg a CD ROM, floppy disk, ribbon tape or the like. The term "computer platform" encompasses the main data processing and storage facility of a computer entity.

[0038] Referring to Fig. 1 herein, there is illustrated schematically one example of a computer entity as previously described in the applicant's European patent application entitled "Trusted Computing Platform", filed 15 February 1999 at the European Patent Office, a copy of which is filed herewith, and the entire contents of which are incorporated herein by reference. Referring to Fig. 2 of the accompanying drawings, there is illustrated schematically physical connectivity of some of the components of the trusted computer entity of Fig. 1. Referring to Fig. 3 herein, there is illustrated schematically an architecture of the trusted computer entity of Figs. 1 and 2, showing physical connectivity of components of the entity.

[0039] In general, in the best mode described herein, 
a trusted computer entity comprises a computer plat- 
form consisting of a first data processor, and a first mem- 
ory means, together with a trusted component which 
verifies the integrity and correct functioning of the com- 
puting platform. The trusted component comprises a 
second data processor and a second memory means, 
which are physically and logically distinct from the first 
data processor and first memory means. 
[0040] In the example shown in Figs. 1 to 3 herein, the trusted computer entity is shown in the form of a per-

image data may comprise a photograph of a user. The image data on the smart card may be unique to a person using the smart card.

[0050] In the best mode herein, a user may specify a selected logical or physical entity on the computer platform, for example a file, application, driver, port, interface or the like for monitoring of events which occur on that entity. Two types of monitoring may be provided, firstly continuous monitoring over a predetermined period, which is set by a user through the trusted component, and secondly, monitoring for specific events which occur on an entity. In particular, a user may specify a particular file of high value, or of restricted information content and apply monitoring of that specified file so that any interactions involving that file, whether authorized or not, are automatically logged and stored in a manner in which the events occurring on the file cannot be deleted, erased or corrupted, without this being immediately apparent.

[0051] Referring to Fig. 4 herein, there is illustrated schematically an internal architecture of trusted component 202. The trusted component comprises a processor 400, a volatile memory area 401; a non-volatile memory area 402; a memory area storing native code 403; and a memory area storing one or a plurality of cryptographic functions 404, the non-volatile memory 401, native code memory 403 and cryptographic memory 404 collectively comprising the second memory means hereinbefore referred to.

[0052] Trusted component 202 comprises a physically and logically independent computing entity from the computer platform. In the best mode herein, the trusted component shares a motherboard with the computer platform so that the trusted component is physically linked to the computer platform. In the best mode, the trusted component is physically distinct from the computer platform, that is to say it does not exist solely as a sub-functionality of the data processor and memory means comprising the computer platform, but exists separately as a separate physical data processor 400 and separate physical memory area 401, 402, 403, 404. By providing a physically present trusted component, the trusted component becomes harder to mimic or forge through software introduced onto the computer platform. Programs within the trusted component are pre-loaded at manufacture of the trusted component, and are not user configurable. The physicality of the trusted component, and the fact that the user component is not configurable by the user enables the user to have confidence in the inherent integrity of the trusted component, and therefore a high degree of "trust" in the operation and presence of the trusted component on the computer platform.

[0053] Referring to Fig. 5 herein, there is illustrated schematically a logical architecture of the computer entity 500. The logical architecture has a same basic division between the computer platform, and the trusted component, as is present with the physical architecture described in Figs. 1 to 3 herein. That is to say, the trusted component is logically distinct from the computer platform to which it is physically related. The computer entity comprises a user space 504 being a logical space which is physically resident on the computer platform (the first processor and first data storage means) and a trusted component space 513 being a logical space which is physically resident on the trusted component 202. In the user space 504 are one or a plurality of drivers 506, one or a plurality of applications programs 507, a file storage area 508; smart card reader 103; smart card interface 305; and a software agent 511 which operates to perform operations in the user space and report back to trusted component 202. The trusted component space is a logical area based upon and physically resident in the trusted component, supported by the second data processor and second memory area of the trusted component. Confirmation key device 104 inputs directly to the trusted component space 513, and monitor 100 receives images directly from the trusted component space 513. External to the computer entity are external communications networks eg the Internet 501, and various local area networks, wide area networks 502 which are connected to the user space via the drivers 506 which may include one or more modem ports. External user smart card 603 inputs into smart card reader 103 in the user space.

[0054] In the trusted component space, are resident the trusted component itself, displays generated by the trusted component on monitor 100; and confirmation key 104, inputting a confirmation signal via confirmation key interface 306.

[0055] Referring to Fig. 6 herein, within agent 511, there is provided a communications component 601 for communicating with the trusted component 202; and a file monitoring component 600 the purpose of which is to monitor events occurring on specified logical or physical entities, eg data files, applications or drivers on the computer platform, within the user space.

[0056] Referring to Fig. 7 herein, there is illustrated schematically internal components on the trusted component 202 resident in trusted space 513. The trusted component comprises a communications component 700 for communicating with software agent 511 in user space; a display interface component 701 which includes a display generator for generating a plurality of interface displays which are displayed on monitor 100 and interface code enabling a user of the computing entity to interact with trusted component 202; an event logger program 702 for selecting an individual file, application, driver or the like on the computer platform, and monitor the file, application or driver and compile a log of events which occur on the file, application or driver; a plurality of cryptographic functions 703 which are used to cryptographically link the event log produced by event logger component 702 in a manner from which it is immediately apparent if the event log has been tampered with after leaving event logger 702; a set of prediction

described primarily in relation to data files, application programs and drivers, although it will be appreciated that the general methods and principles described herein are applicable to the general set of components and facilities of the computer platform. By activating the drop down menu on each of selection boxes 1101-1103, there is listed a corresponding respective list of data files, drivers, or applications which are present on the computer platform. A user may select any of these files and/or applications and/or drivers by activating the pointing device on the selected icon from the drop down menu in conventional manner in steps 904, 905, 906. Additionally, the event monitor menu comprises an event select menu 1104. The event select menu lists a plurality of event types which can be monitored by the event logger 702 within the trusted component, for the file, application or driver which is selected in selection boxes 1101, 1102, 1103 respectively. Types of event which can be monitored include events in the set: file copied - the event of a selected file being copied by an application or user; file saved - the event of whether a specified file is saved by an application or user; file renamed - the event of whether a file has been renamed by an application or user; file opened - the event of whether a file is opened by an application or user; file overwritten - the event of whether data within a file has been overwritten; file read - the event of whether data in a file has been read by any user, application or other entity; file modified - the event of whether data in a file has been modified by a user, application or other entity; file printed - the event of whether a file has been sent to a print port of the computer entity; driver used - whether a particular driver has been used by any application or file; driver reconfigured - the event of whether a driver has been reconfigured; modem used - subset of the driver used event, applying to whether a modem has been used or not; disk drive used - the event of whether a disk drive has been used in any way, either written or read; application opened - the event of whether an application has been opened; and application closed - the event of whether an application has been closed. Once the user has selected the application, driver or file and the events to be monitored in dialog box 1100, the user activates the confirmation key 104, which is confirmed by confirmation key icon 1105 visually altering, in order to activate a monitoring session. A monitoring session can only be activated by use of the dialog box 1100, having the user's image 1001 from the user's smart card display thereon, and by independently pressing confirmation key 104. Display of the image 1001 on the monitor 100, enables the user to have confidence that the trusted component is generating the dialog box. Pressing the confirmation key 104 by the user, which is directly input into trusted component 202 independently of the computer platform gives direct confirmation to the trusted component that the user, and not some other entity, e.g. a virus or the like is activating the monitoring session.
[0061] The user may also specify a monitoring period by entering a start time and date and a stop time and date in data entry window 1106. Alternatively, where a single event on a specified entity is to be monitored, the user can specify monitoring of that event only by confirming with pointing device 105 in first event only selection box 1107.

[0062] Two modes of operation will now be described. In the first mode of operation, continuous event monitoring of specified entities over a user specified period occurs. In the second mode of operation, continuous monitoring of a specified entity occurs until a user specified event has happened, or until a user specified period for monitoring that user specified event has elapsed.

[0063] In Fig. 12 herein, there is illustrated a procedure for continuous monitoring of a specified logical or physical entity over a user specified monitoring period.
[0064] Referring to Fig. 12 herein, there is illustrated schematically process steps operated by trusted component 202 in response to a user input to start an event monitoring session as described with reference to Figs. 8 to 11 herein before. In step 1050, display interface 701 receives commands from the user via the dialogue boxes which are input using pointing device 105, keyboard 101 via data bus 304 and via communications interface 700 of the trusted component. The event logger 702 instructs agent 511 in user space to commence event monitoring. The instructions comprising event logger 702 are stored within a memory area resident within the trusted component 202. Additionally event logger 702 is also executed within a memory area in the trusted component. In contrast, whilst the instructions comprising agent 511 are stored inside the trusted component 202 in a form suitable for execution on the host processor ie in CPU native programs area 403 of the trusted component, agent 511 is executed within untrusted user space ie outside of the trusted component 202. Agent 511 receives details of the file, application and/or drivers to be monitored from event logger 702. In step 1200, agent 511 receives a series of event data from the logical entity (eg file, application or driver) specified. Such monitoring is a continuous process, and agent 511 may perform step 1200 by periodically reading a data file in which such event data is automatically stored by the operating system (for example in the Microsoft Windows 4.0™ operating system which contains the facility for logging events on a file). However, in order to maximize security, it is preferable the agent 511 periodically gathers event data itself by interrogating the file, application or driver directly to elicit a response. In step 1201, the collected data concerning the events of entity are reported directly to the trusted component 202, which then stores them in a trusted memory area in step 1202. In step 1203, the event logger checks whether the user specified predetermined monitoring period from the start of the event monitoring session has elapsed. If the event monitoring session period has not yet elapsed, event logger 702 continues to await further events on the specified files, applications or drivers supported by

dressed; a network address to which a file has been copied, to which an application has addressed, or to which a driver has corresponded with.

[0072] The event data stored in the event log may be physically stored in a data file either on the platform or in the trusted component. The event log data is secured using a chaining function, such that a first secured event data is used to secure a second secured event data, a second secured event data is used to secure a third event data, etc so any changes to the chain of data are apparent.
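
The chaining described in paragraph [0072], as an added example that is not part of the patent text: each record's link is an HMAC-SHA256 over the previous link and the event, and the newest link is kept separately, as it would be in trusted memory. The patent does not name a chaining function; HMAC-SHA256, the key, the record layout and all function names are assumptions made for illustration, and the sample events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32          # assumed starting value for the first link
KEY = b"constructed-demo-key"   # assumed: a secret held only in trusted memory


def _link(key, prev_link, event):
    """Chain value for one event: MAC over the previous link and the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_link + payload, hashlib.sha256).digest()


def append_event(log, key, event):
    """Append an event to the log and return the new head of the chain (hex)."""
    prev = bytes.fromhex(log[-1]["link"]) if log else GENESIS
    link = _link(key, prev, event).hex()
    log.append({"event": event, "link": link})
    return link


def verify_log(log, key, trusted_head=None):
    """Return None if the log is intact, else the index where checking fails.

    Recomputing the chain exposes an edited, inserted, reordered or removed
    record. Removing records from the END leaves a shorter but self-consistent
    chain, so that case is only caught by comparing against the head value
    kept outside the log (trusted_head); it is reported as index len(log).
    """
    prev = GENESIS
    for index, record in enumerate(log):
        expected = _link(key, prev, record.get("event"))
        stored = str(record.get("link", "")).encode()
        if not hmac.compare_digest(expected.hex().encode(), stored):
            return index
        prev = expected
    if trusted_head is not None and prev.hex() != trusted_head:
        return len(log)
    return None


def build_sample_log():
    """Constructed sample: three events on one monitored file."""
    events = [
        {"time": "2000-01-01T09:00:00", "entity": "report.doc", "type": "file opened"},
        {"time": "2000-01-01T09:05:00", "entity": "report.doc", "type": "file copied"},
        {"time": "2000-01-01T09:06:00", "entity": "report.doc", "type": "file printed"},
    ]
    log, head = [], None
    for event in events:
        head = append_event(log, KEY, event)
    return log, head


if __name__ == "__main__":
    log, head = build_sample_log()
    print("intact:", verify_log(log, KEY, head))
    log[1]["event"]["type"] = "file read"
    print("after edit, first bad record:", verify_log(log, KEY, head))
```

The log file itself can then live in user space, as the paragraph allows, as long as the key and the current head stay in the trusted component.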

[0073] In addition to providing the secured event log data, the trusted component may also compile a report of events. The report may be displayed on monitor 100. Items which may form the content of a report include the events as specified in the event log above, together with the following: time of an event, date of an event, whether or not a password was used, a destination of the file it is copied to, a size of a file (in megabytes), a duration a file or application has been open, a duration over which a driver has been online, a duration over which a driver has been used, a port which has been used, an internet address which has been communicated with, a network address which has been communicated with.
[0074] Agent 511 performs event monitoring operations on behalf of trusted component 202, however whereas trusted component 202 is resident in a trusted space 513, agent 511 must operate in the user space of the computer platform. Because the agent 511 is in an inherently less secure environment than the trusted space 513, there is the possibility that agent 511 may become compromised by hostile attack to the computer platform through a virus or the like. The trusted component deals with the possibility of such hostile attack by either of two mechanisms. Firstly, in an alternative embodiment the agent 511 may be solely resident within trusted component 202. All operations performed by agent 511 are performed from within trusted user space 513 by the monitoring code component 600 operating through the trusted component's communications interface 700 to collect event data. However, a disadvantage of this approach is that since agent 511 does not exist, it cannot act as a buffer between trusted component 202 and the remaining user space 504.

[0075] On the other hand, the code comprising agent 511 can be stored within trusted space in a trusted memory area of trusted component 202, and periodically "launched" into user space 504. That is to say, when a monitoring session is to begin, the agent can be downloaded from the trusted component into the user space or kernel space on the computer platform, where it then resides, performing its continuous monitoring functions. In this second method, which is the best mode contemplated by the inventors, to reduce the risk of any compromises of agent 511 remaining undetected, the trusted component can either re-launch the complete agent from the secure memory area in trusted space into the user space at periodic intervals, and/or can periodically monitor the agent 511 in user space to make sure that it is responding correctly to periodic interrogation by the trusted component.

[0076] Where the agent 511 is launched into user space from its permanent residence in trusted space, this is effected by copying code comprising the agent from the trusted component onto the computer platform. Where a monitoring session has a finite monitoring period specified by a user, the period over which the agent 511 exists in user space can be configured to coincide with the period of the monitoring session. That is to say the agent exists for the duration of the monitoring session only, and once the monitoring session is over, the agent can be deleted from user/kernel space. To start a new monitoring session for a new set of events and/or entities, a new agent can be launched into user space for the duration of that monitoring session.

[0077] During the monitoring session, which may extend over a prolonged period of days or months as specified by a user, the trusted component monitors the agent itself periodically.

[0078] Referring to Fig. 14 herein, there is illustrated schematically process steps carried out by trusted component 202 and agent 511 on the computer platform for launching the agent 511 which is downloaded from trusted space to user space, and in which the trusted component monitors the agent 511 once set up and running on the computer platform.

[0079] In step 1400, native code comprising the agent 511 stored in the trusted component's secure memory area is downloaded onto the computer platform, by the computer platform reading the agent code directly from the trusted component in step 1401. In step 1402, the data processor on the computer platform commences execution of the native agent code resident in user space on the computer platform. The agent continues to operate as described herein before continuously in step 1403. Meanwhile, trusted component 202 generates a nonce challenge message in step 1404 after a suitable selected interval, and sends this nonce to the agent which receives it in step 1405. The nonce may comprise a random bit sequence generated by the trusted component. The purpose of the nonce is to allow the trusted component to check that the agent is still there and is still operating. If the nonce is not returned by the agent, then the trusted component knows that the agent has ceased to operate and/or has been compromised. In step 1407 the agent signs the nonce and in step 1408 the agent sends the signed nonce back to the trusted component. The trusted component receives the signed nonce in step 1409 and then repeats step 1404 sending a new nonce after a pre-selected period. If after a predetermined wait period 1406, commencing when the nonce was sent to the agent in step 1404, the trusted component has not received a nonce returned from the agent, then in step 1410 the trusted component generates an alarm signal which may result in a display on the monitor showing that the agent 511 is incorrectly op-

compiling said event data into secure event data. 

5. The computer entity as claimed in claim 4, wherein 
said event logging component comprises means for 
applying a chaining function to said event data to 
produce said secure event data. 

6. The computer entity as claimed in claim 1, further 
comprising a display interface for generating an in- 
teractive display comprising: 

means for selecting an entity of said computer 
platform to be monitored; and 

means for selecting at least one event to be 
monitored. 

7. The computer entity as claimed in claim 1, further 
comprising prediction means for predicting a future 
value of at least one selected parameter. 

8. The computer entity as claimed in claim 1, further 
comprising a confirmation key means connected to 
said trusted component, and independent of said 
computer platform, for confirming to said trusted 
component an authorisation signal of a user. 

9. The computer entity as claimed in claim 1, wherein 
logical entities to be monitored are selected from 
the set: 

at least one data file; 

at least one application; 

at least one driver component. 

10. A computer entity comprising: 

a computer platform having a first data proces- 
sor and a first memory device; and 

a trusted monitoring component comprising a 
second data processor and a second memory 
device, wherein 

said trusted monitoring component stores an 
agent program resident in said second memory 
area, said agent program arranged to be copied 
to said first memory area for performing func- 
tions on behalf of said trusted component, un- 
der control of said first data processor. 

11. A computer entity comprising: 

a computer platform comprising a first data 
processor and a first memory device; 

a trusted monitoring component comprising a 
second data processor and a second memory 
device; 

a first computer program resident in said first 
memory area and operating said first data proc- 
essor, said first computer program reporting 
back events concerning operation of said com- 
puter platform to said trusted monitoring com- 
ponent; and 

a second computer program, said second com- 
puter program resident in said second memory 
area of said trusted component, said second 
program operating to monitor an integrity of 
said first program. 

12. The computer entity as claimed in claim 11, wherein 
said computer program monitors an integrity of said 
first computer program by sending to said first com- 
puter program a plurality of interrogation messages, 
and monitoring a reply to said interrogation mes- 
sages made by said first computer program. 

13. The computer entity as claimed in claim 12, wherein 
a said interrogation message is sent in a first format; 
and returned in a second format, wherein said sec- 
ond format is a secure format. 
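
The nonce challenge of steps 1404 to 1410 in paragraph [0079], which claims 12 and 13 describe as interrogation messages returned in a secure format, is sketched below as an added example that is not part of the patent text. HMAC-SHA256 with a shared key stands in for the agent's unspecified signature; WAIT_PERIOD, the class names and the alarm on a reply that fails verification are assumptions.

```python
import hashlib
import hmac
import secrets

WAIT_PERIOD = 5.0  # assumed length in seconds of wait period 1406

def sign(key, nonce):
    # Assumption: HMAC-SHA256 stands in for the agent's signature scheme.
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Agent:
    """Agent in user space: receives, signs and returns the nonce (1405-1408)."""
    def __init__(self, key, running=True, latency=0.1, replay=None):
        self.key, self.running = key, running
        self.latency, self.replay = latency, replay

    def handle(self, nonce):
        # Returns (reply, seconds taken); a stopped agent never replies.
        if not self.running:
            return None, float("inf")
        # A compromised agent may resend a recorded reply instead of signing.
        return (self.replay or sign(self.key, nonce)), self.latency

class TrustedComponent:
    def __init__(self, key):
        self.key, self.alarms = key, []

    def challenge(self, agent):
        nonce = secrets.token_bytes(16)              # step 1404: fresh random nonce
        reply, elapsed = agent.handle(nonce)
        if reply is None or elapsed > WAIT_PERIOD:   # wait period 1406 expired
            self.alarms.append("no reply")           # step 1410: alarm
            return False
        if not hmac.compare_digest(reply, sign(self.key, nonce)):
            self.alarms.append("bad signature")      # assumed: failed check also alarms
            return False
        return True                                  # step 1409: signed nonce received

def run_session():
    key = secrets.token_bytes(32)                    # constructed shared key
    tc = TrustedComponent(key)
    old_reply = sign(key, secrets.token_bytes(16))   # reply to an earlier nonce
    cases = {"healthy": Agent(key), "stopped": Agent(key, running=False),
             "slow": Agent(key, latency=9.0), "wrong_key": Agent(b"x" * 32),
             "replay": Agent(key, replay=old_reply)}
    return {name: tc.challenge(a) for name, a in cases.items()}, tc.alarms
```

Because each challenge carries a new random nonce, a reply recorded from an earlier round fails verification, so the check covers a replayed answer as well as a missing one.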

14. A method of monitoring a computer platform com- 
prising a first data processor and a first memory 
means, said method comprising the steps of: 

reading event data describing events occurring 
on at least one logical or physical entity com- 
prising said computer platform; 

securing said event data in a second data 
processing means having an associated sec- 
ond memory area, said second data processing 
means, said second memory area being phys- 
ically and logically distinct from said first data 
processing means and said first memory area, 
such that said secure event data cannot be al- 
tered without such alteration being apparent. 

15. The method as claimed in claim 14, where a said 
event to be monitored is selected from the set of 
events: 

copying of a data file; 

saving a data file; 

renaming a data file; 

opening a data file; 